fix(security): Prevent script injection in changelog-preview workflow

[fix-it-felix-sentry]

Summary

This PR fixes a high-severity security finding by preventing potential script injection in the changelog-preview GitHub Actions workflow.

Changes

Moved github.event.pull_request.head.sha from direct interpolation in the shell script to an environment variable. This follows GitHub's security best practices for handling untrusted context data.

Before:

run: |
  HEAD_SHA="${{ github.event.pull_request.head.sha || github.sha }}"

After:

env:
  HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
run: |
  # HEAD_SHA is now safely available as an environment variable

Security Impact

Direct interpolation of GitHub context data in shell scripts can allow attackers to inject malicious code. By using an intermediate environment variable, the value is safely escaped and prevents script injection attacks.

References

• Parent ticket: https://linear.app/getsentry/issue/VULN-1637
• Child ticket: https://linear.app/getsentry/issue/DI-1918
• GitHub Security Hardening Guide
• Semgrep Rule

[linear-code]

DI-1918 New Semgrep Finding for getsentry/craft